Post-Snowden Efforts to Secure N.S.A. Data Fell Short, Report Says

Image

Edward J. Snowden spoke by video to a conference in Estoril, Portugal, in May. The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms after the leaks by Mr. Snowden, according to an inspector general report.CreditRafael Marchante/Reuters

WASHINGTON — The government’s efforts to tighten access to its most sensitive surveillance and hacking data after the leaks of National Security Agency files by Edward J. Snowden fell short, according to a newly declassified report.

The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department’s inspector general completed in 2016. The report was classified at the time and made public in redacted form this week in response to a Freedom of Information Act lawsuit by The New York Times.

The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of “privileged” users, who have greater power to access the N.S.A.’s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing.

In all, the report concluded, while the post-Snowden initiative — called “Secure the Net” by the N.S.A. — had some successes, it “did not fully meet the intent of decreasing the risk of insider threats to N.S.A. operations and the ability of insiders to exfiltrate data.”

In a statement, Vanee Vines, an N.S.A. spokeswoman, noted the difficulty of building security improvements into the agency’s particularly complex systems while continuing to carry out its work.

“We welcome the observations and opportunities for improvement offered by the U.S. Defense Department’s Inspector General,” she said. “N.S.A. has never stopped seeking and implementing ways to strengthen both security policies and internal controls.”

Underscoring the importance of the warnings in the report, in the same month that it was produced, August 2016, a group calling itself the Shadow Brokers announced that it had obtained and was auctioning off highly classified N.S.A. hacking tools — some of which it later dumped online, forming the basis of a malicious software attack that spread chaos around the world last month.

Also in August, a veteran intelligence contractor, Harold T. Martin III, was charged with copying and bringing home 50 terabytes of confidential data from the N.S.A. and other agencies.

The report portrayed certain aspects of the N.S.A.’s internal controls as particularly sloppy before the Snowden breach in 2013. The inspector general found that the agency was unable to say how many privileged users and officials were empowered to transfer data. Those lists were kept in spreadsheets that had become corrupted and were no longer available.

The agency sought to reduce access by revoking it and requiring users to reapply for credentials. But the inspector general concluded that the step had not significantly reduced the overall number of people with the extraordinary authorities.

The report said the chief information officer of the N.S.A., Gregory L. Smithberger, had cautioned the inspector general that “eliminating all risk of insider threats is not feasible.” In a separate response included with the report, Mr. Smithberger focused on other areas where the agency had succeeded in tightening controls, portraying the inspector general’s broader findings as positive.

“While the media leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a ‘good news’ story,” he wrote.

The inspector general studied how well the agency did in carrying out seven of the initiative’s 40 components. Its report was commissioned by Congress, and though it was deemed classified, the House Intelligence Committee cited a finding from it in a declassified report about the intelligence community’s response to the Snowden disclosures.